HoneyLens Frida — eBPF-Based Application Detection & Response
Runtime application detection & response built on eBPF: tracepoint and uprobe-based hooks that catch the moment a process pivots into unexpected behaviour — a service spawning a shell, an SSL library being called from an unusual library, a setuid binary opening a network socket. Sentinel agents run on production hosts; events stream to a central collector for correlation against the HoneyLens classifier and the SIEM forwarder pipeline.
What It Does
HoneyLens Sensor watches the network. HoneyLens Frida ADR watches inside the host. The two are complementary — the sensor catches an attacker as they arrive on the wire; the ADR agent catches them after they've landed and started moving.
- Tracepoint hooks on kernel events that matter for post-exploitation: `sched_process_exec`, `sys_enter_execve`, `sys_enter_connect`, `sys_enter_openat` with target-path filtering, and the standard syscall set for credential access.
- Uprobe hooks on the symbols that are interesting from an attacker perspective — `SSL_read`/`SSL_write` (to see plaintext even when libraries terminate TLS internally), `system`/`popen` in unusual call sites, dynamic loader entry points.
- Pivot detection. The agent maintains a per-process baseline (what this process normally does in its first 60 seconds) and flags deviations. A web server suddenly spawning `/bin/sh` is the canonical alert.
- Event shipping. Structured JSON events stream to the central collector via a thin authenticated channel. The collector enriches with the HoneyLens classifier and forwards to DefectDojo (for finding management) and the existing SIEM fan-out (Loki, optional Wazuh / Splunk / Elastic / webhook).
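The pivot-detection and event-shipping items above describe a per-process learning window followed by deviation alerts. The following added example (not HoneyLens code, and not the agent's actual event schema) models that logic in user space over a constructed stream of hook events: each process's first 60 seconds become its baseline of (hook, target) pairs, anything unseen after the window is flagged, and alerts are serialised as newline-delimited JSON of the kind a collector-bound channel would carry. The `HookEvent` shape, the `SHELL_BINARIES` override (a shell exec from a service is never learned as normal, so the canonical web-server-spawns-`/bin/sh` alert fires even inside the learning window), and all sample events are assumptions made for the demo.

```python
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import asdict, dataclass

# Learning window from the page: what a process does in its first 60 seconds
# becomes its baseline.
BASELINE_WINDOW_S = 60.0

# Assumption (not from the page): a shell exec is never baselined for a service,
# so it alerts even during the learning window.
SHELL_BINARIES = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}


@dataclass(frozen=True)
class HookEvent:
    """One structured event as a tracepoint hook might emit it (constructed shape)."""
    ts: float      # seconds on the host's monotonic clock
    pid: int
    comm: str      # process name, e.g. "nginx"
    hook: str      # "sys_enter_execve" | "sys_enter_connect" | "sys_enter_openat"
    target: str    # execve path, connect destination "ip:port", or openat path


class PivotDetector:
    """Per-process baseline learner that flags deviations after the window closes."""

    def __init__(self, window_s: float = BASELINE_WINDOW_S):
        self.window_s = window_s
        self.first_seen: dict[int, float] = {}                 # pid -> first event ts
        self.baseline: dict[int, set[tuple[str, str]]] = defaultdict(set)
        self.alerts: list[dict] = []

    def observe(self, ev: HookEvent) -> dict | None:
        """Feed one event; return a JSON-ready alert dict on a pivot, else None."""
        start = self.first_seen.setdefault(ev.pid, ev.ts)
        key = (ev.hook, ev.target)
        learning = (ev.ts - start) < self.window_s
        shell_exec = ev.hook == "sys_enter_execve" and ev.target in SHELL_BINARIES

        if learning and not shell_exec:
            self.baseline[ev.pid].add(key)       # still learning: record, stay silent
            return None
        if not shell_exec and key in self.baseline[ev.pid]:
            return None                          # seen during learning: normal

        alert = {
            "type": "process_pivot",
            "reason": "shell_exec" if shell_exec else "unbaselined_" + ev.hook,
            **asdict(ev),
            "process_age_s": round(ev.ts - start, 3),
        }
        self.alerts.append(alert)
        return alert


# Constructed sample stream: two services, one of which pivots after its first minute.
SAMPLE_EVENTS = [
    # pid 4242 (nginx) in its first minute: config, upstream, log file -> baseline
    HookEvent(100.0, 4242, "nginx", "sys_enter_openat", "/etc/nginx/nginx.conf"),
    HookEvent(101.5, 4242, "nginx", "sys_enter_connect", "10.0.0.5:8080"),
    HookEvent(130.0, 4242, "nginx", "sys_enter_openat", "/var/log/nginx/access.log"),
    # same upstream five minutes later: baselined, silent
    HookEvent(400.0, 4242, "nginx", "sys_enter_connect", "10.0.0.5:8080"),
    # shell exec plus a connection to a never-seen host: two alerts
    HookEvent(412.0, 4242, "nginx", "sys_enter_execve", "/bin/sh"),
    HookEvent(412.4, 4242, "nginx", "sys_enter_connect", "198.51.100.7:443"),
    # pid 5151 (gunicorn) spawns a shell 10 s after start: shell rule beats learning
    HookEvent(100.0, 5151, "gunicorn", "sys_enter_openat", "/app/wsgi.py"),
    HookEvent(110.0, 5151, "gunicorn", "sys_enter_execve", "/bin/sh"),
]


def run_demo(events=SAMPLE_EVENTS) -> list[dict]:
    """Run the detector over a stream and return every alert it raised, in order."""
    det = PivotDetector()
    for ev in events:
        det.observe(ev)
    return det.alerts


def to_ndjson(alerts: list[dict]) -> str:
    """Serialise alerts one per line, the form a collector-bound channel would carry."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)


if __name__ == "__main__":
    print(to_ndjson(run_demo()))
```

Run as-is it prints three alerts: the nginx shell exec, the nginx connection to an unbaselined host, and the gunicorn shell exec that the override catches inside the learning window. Keying the baseline on (hook, target) rather than on the hook alone is what lets a familiar upstream stay silent while a new destination on the same syscall alerts.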
Deployment
The honeylens-sentinel-agent systemd unit ships with each install and
runs as a privileged service (the eBPF programs need CAP_BPF /
CAP_PERFMON). Currently deployed on five sentinel hosts in the lab; the
sensor1 install includes it as part of the base HoneyLens stack.
What’s Next
- Build 0.05: container-aware mode — cgroup v2 tracking so events are attributed to the right container, with Kubernetes pod metadata enrichment via the cri-tools socket.
- Public detection rule pack covering the OWASP Top 10 post-exploitation patterns (suspicious child processes from web servers, reverse shells, encoded payload execution, file write to unusual paths).
- Cross-correlation with HoneyLens Sensor events — if the sensor caught an attacker on the wire AND the ADR agent caught a process-pivot at the same time, that's a confirmed compromise rather than just a probe.